Btw, forgot to mention, when testing, make sure on the client you do a "kinit <user>" to get a valid ticket before doing your ssh login. You can check if you have a valid ticket with the "klist" command.
br,
Quinn

On Wed, Jul 11, 2012 at 9:56 AM, Quinn Plattel <[email protected]> wrote:
> Hi Marcel,
>
> On the client machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii  krb5-config         2.2                          Configuration files for Kerberos Version 5
> ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1   Internationalization support for MIT Kerberos
> ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1   Basic programs to authenticate using MIT Kerberos
> ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2     Heimdal Kerberos - libraries
> ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries
> ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - Support library
> ii  libpam-krb5         4.5-3                        PAM module for MIT Kerberos
> ii  openssh-client      1:5.9p1-5ubuntu1             secure shell (SSH) client, for secure access to remote machines
>
> On the server machine (Ubuntu 12.04 LTS) I have (dpkg -l):
> ii  krb5-config         2.2                          Configuration files for Kerberos Version 5
> ii  krb5-locales        1.10+dfsg~beta1-2ubuntu0.1   Internationalization support for MIT Kerberos
> ii  krb5-user           1.10+dfsg~beta1-2ubuntu0.1   Basic programs to authenticate using MIT Kerberos
> ii  libgssapi-krb5-2    1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
> ii  libkrb5-26-heimdal  1.6~git20120311.dfsg.1-2     Heimdal Kerberos - libraries
> ii  libkrb5-3           1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries
> ii  libkrb5support0     1.10+dfsg~beta1-2ubuntu0.1   MIT Kerberos runtime libraries - Support library
> ii  openssh-client      1:5.9p1-5ubuntu1             secure shell (SSH) client, for secure access to remote machines
> ii  openssh-server      1:5.9p1-5ubuntu1             secure shell (SSH) server, for secure access from remote machines
> samba Version 4.0.0beta3-GIT-UNKNOWN
>
> Without "GSSAPIStrictAcceptorCheck no" you need an fqdn in the client's
> /etc/hosts file and have all the principals needed added to the server's
> keytab file, but this is not necessary if you use the parameter.
> With the parameter, the only thing you need to make sure of is that on the
> server /var/lib/samba/secrets.keytab is copied or linked to
> /etc/krb5.keytab (sshd looks for it). You can use the keytab file as it is
> without copying any extra principals into it.
>
> You can have a very simple /etc/hosts on the client such as:
> 127.0.0.1 localhost
> 127.0.1.1 ubuntu-test
>
> This setup probably only works for ssh kerberos. nfsv4, pam logins, and
> other kerberos aware services may need strict checking. That is my next
> research project.
>
> For ssh debugging, on the server I used -ddd for sshd and looked at both
> syslog and auth.log under /var/log. On the client, I used
> ssh -vvvl <user> <server>
> For kerberos samba4 debugging, start samba with the "-d 5" parameter and then
> "tail -f /var/log/samba/log.samba|grep Kerberos:"
>
> br,
> Quinn
>
> On Wed, Jul 11, 2012 at 8:32 AM, Ritter, Marcel - RRZE <[email protected]> wrote:
>> Hi Quinn,
>>
>> I just tried your solution (my machine is also multi-homed). However it
>> doesn't work for me. The man-page of sshd_config also states that the
>> behavior of "GSSAPIStrictAcceptorCheck" may depend on the used
>> krb5 libraries.
>>
>> Could you please have a look at the krb5 and openssh versions you're
>> using (and perhaps the linux distribution/version)?
>>
>> BTW: I'm running:
>> Ubuntu 12.04 LTS
>> openssh-server 5.9p1-5ubuntu1
>> libkrb5-3 1.10+dfsg~beta1-2ubuntu0.1
>>
>> auth.log mentions (during failed login):
>> Unspecified GSS failure.
>> Minor code may provide more information:
>> Wrong principal in request
>>
>> Thanks,
>> Marcel
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]]
>> On behalf of Quinn Plattel
>> Sent: Tuesday, 10 July 2012 16:08
>> To: samba
>> Subject: Re: [Samba] How do I get an ssh client to authenticate with
>> samba4's kerberos GSSAPI? [Solved]
>>
>> Hi,
>>
>> I solved my ssh GSSAPI problem. There were a lot of solutions on google
>> referring to a proper fqdn in the /etc/hosts file and having the
>> fqdn's/principals in the kerberos server's keytab file, but I found out that
>> my problem was that the samba4/kerberos server was running on a multi-homed
>> machine and that the ssh server kerberos authentication needed the
>> following parameter in order for it to work on multi-homed machines:
>>
>> GSSAPIStrictAcceptorCheck no
>>
>> The default is yes; with "no", according to the manpage, "clients
>> may authenticate against any service key stored in the machine's default
>> store."
>>
>> I hope this helps others that have similar setups as I do.
>>
>> Thank you all for your input.
>>
>> br,
>> Quinn
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>

--
Best regards/Med venlig hilsen,
Quinn Plattel
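Added example, not code from the thread, Samba or OpenSSH: a small POSIX shell pre-flight check for the two server-side conditions Quinn describes, that GSSAPIStrictAcceptorCheck is effectively "no" in sshd_config and that the host keytab sshd reads is present at /etc/krb5.keytab. The sample sshd_config and keytab it uses are constructed stand-ins written to temp files, and the function names are my own.

```shell
#!/bin/sh
# Added pre-flight check (not code from the thread): report the effective
# GSSAPIStrictAcceptorCheck value in an sshd_config and whether the host
# keytab sshd reads (/etc/krb5.keytab on the setup above) is present.

# Effective value of GSSAPIStrictAcceptorCheck: sshd uses the FIRST value it
# reads, keywords are case-insensitive, "keyword value" and "keyword=value"
# are both accepted, "#" lines are comments, and lines after a Match keyword
# are conditional, so they are skipped here. Prints "yes" (sshd's default)
# when the keyword is never set unconditionally.
sshd_strict_acceptor_check() {
    val=$(awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { n = split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { in_match = 1; next }
        in_match { next }
        tolower(f[1]) == "gssapistrictacceptorcheck" && n >= 2 { print tolower(f[2]); exit }
    ' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'yes\n'; fi
}

# Verdict for a multi-homed server: "ok" when the keytab is readable and
# strict acceptor checking is off; otherwise the first problem found (rc 1).
gssapi_preflight() {
    conf="$1"; keytab="${2:-/etc/krb5.keytab}"
    if [ ! -r "$keytab" ]; then
        echo "missing or unreadable keytab: $keytab"; return 1
    fi
    if [ "$(sshd_strict_acceptor_check "$conf")" != "no" ]; then
        echo "GSSAPIStrictAcceptorCheck is effectively yes in $conf"; return 1
    fi
    echo ok
}

# Constructed sample inputs (not real files from the thread) so this runs offline.
SAMPLE_CONF_OFF=$(mktemp); SAMPLE_CONF_DEFAULT=$(mktemp); SAMPLE_KEYTAB=$(mktemp)
cat > "$SAMPLE_CONF_OFF" <<'EOF'
GSSAPIAuthentication yes
GSSAPIStrictAcceptorCheck=no
  # a later value does not override: sshd keeps the first one it read
GSSAPIStrictAcceptorCheck yes
Match User backup
    GSSAPIAuthentication no
EOF
printf '#GSSAPIStrictAcceptorCheck yes\nGSSAPIAuthentication yes\n' > "$SAMPLE_CONF_DEFAULT"

gssapi_preflight "$SAMPLE_CONF_OFF" "$SAMPLE_KEYTAB"                # ok
gssapi_preflight "$SAMPLE_CONF_DEFAULT" "$SAMPLE_KEYTAB" || :       # strict check still on
```

Run it against a copy of the real sshd_config as the first argument to see which of the two conditions a failing multi-homed server is missing; "Wrong principal in request" in auth.log with the check still effectively "yes" is the case the thread describes.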
